Yubico

Yubico

If you are looking for something that, in itself, is about as innovative as it gets, look no further. YubiKey is a very simple, inexpensive authentication token that works with open source software to provide strong authentication to networks and applications over the internet. For $25 (single unit price), you can have strong authentication to Google, WordPress and TrueCrypt to name just a few. Implementation is reasonably simple and there are numerous free authentication servers that you can use with the YubiKey.

The YubiKey is a very small - it fits on your key ring - USB key with a touch-sensitive sensor in the middle of it. The key contains one of two authentication schemes. The default is a one-time passcode that works with an authentication server. Optionally, the key can be configured with a static key. It comes with an administration program for setting it up. The standard YubiKey passcode is a 44-character one-time code. The key communicates with the authentication server, which generates a passcode back to the device or the network authenticated to. The key also supports six- or eight-digit one-time OATH passwords.

Because much of the authentication software is free, it is easy to set up an authentication server within the enterprise. The YubiKey generates a one-time code to the server that authenticates the user and generates login credentials as appropriate. The key, therefore, provides strong single sign-on authentication for as little as $15 per key in quantities from 100 to 500. The key can be ordered online.

There are a lot of benefits to the YubiKey. First, it is cheap. It is cheap to buy and cheap to use and support. Second, it can use open source authentication software. That means that you can build a token-based authentication scheme for very little money. Third, it has no battery, so there is no ongoing maintenance cost. If the YubiKey dies - which it shouldn't - just replace it.

Also, it is about as easy to use as anything I can imagine. There is no on-board software required for the user's PC and all the user need do is plug it into the USB port and touch the spot on the key. The spot lights up when the user plugs the key into the USB port to tell the user that the key is working and also where to touch the key to generate a passcode. Of course, there is no passcode to remember since it is automatic one-time authentication.

There are some inexpensive tokens, to be sure, but virtually all require a reader. The YubiKey does not since it uses the USB port on your computer. Certainly the YubiKey is far less expensive and easier to use than time-based tokens. The question, of course, is does the YubiKey provide the same level of protection as a time-based token that costs three to four times as much? Probably not, but that really is the wrong question. The right one is what level of protection and access control do you really need?

My personal feeling is that I probably would not use YubiKey to secure the administrator account on a Department of Defense classified network. Since there are full credentials on the YubiKey, you really need some additional code or identifier (something you know) leaving the YubiKey as something you have. But, that is fine for over 90 percent of all applications. We do the same thing daily with our bank ATM cards and they don't generate one-time codes encrypted using AES.

One word about static codes. The YubiKey is able to generate a static code that, since it acts much like a USB keyboard, simply generates the code you program into it as if it was typed on your keyboard. That means that if someone steals your YubiKey they can generate your static passcode without knowing anything and you are compromised. That does not obviate the usefulness of the static mode. In fact, I use it for a couple of specialized applications.

However, there is a bit of extra care you need to take. First, the rationale for using the static option is that you want a long, complicated passcode that is nearly impossible to guess or brute-force with commonly available technology. To protect against the possibility that I might lose my YubiKey, I prepend a PIN. So when I use the static YubiKey, I type in the PIN and then touch the dot on the key and I login with a 20+ character passcode. I keep a copy of the full passcode in my Password Safe.

Does YubiKey solve all authentication problems? No, but most of the ones it cannot solve appear to be at the very high end of the security spectrum. YubiKey is the authentication token for the rest of us.

Company: Yubico
https://www.yubico.com/home/index/

Cost: Starts at $25 per key.

The problem it solves: Strong authentication for all types of users at a very low price using open source software.

What we liked: Price/performance is unheard of for hardware token-based authentication.

What we didn't like: One of its biggest advantages is also a minor drawback. At its tiny size it is easy to misplace. Put this on your key ring or take the chance that you'll lose it.